Supervalu Getaway Breaks/Loyaltybuild Payment Information Compromised

vicwatson

Anyone get an email as follows -

Dear XXXXXXXXXXXXXXXX

We are contacting you to advise you that Loyaltybuild, who manage the Getaway Breaks programme on behalf of SuperValu, is reviewing the security of the personal and payment card information you provided to them when making a recent booking.

Please note this issue is exclusive to Getaway Breaks. It does not impact SuperValu's other online websites or any other customer transactions by payment card. Getaway Breaks is the only element of our business operated by Loyaltybuild.

This review is taking place as Loyaltybuild has advised us that their system may have been compromised by a third party.

The protection of your information is an absolute priority for us at all times and as yet there is no information to suggest that any data has been obtained.

However, as a precautionary measure, we advise you to review your account and should you suspect any unusual activity on your payment card, we recommend that you immediately contact your bank or financial institution.

Please treat any unsolicited communication you may receive relating to this issue claiming to represent SuperValu Getaway Breaks or Loyaltybuild with caution.

Please be reassured by the fact that all credit card information held by Loyaltybuild is encrypted and they are taking all the reasonable actions to inform the relevant financial institutions of this issue.

We apologise for any unnecessary concern that this notification may create. However it is SuperValu's priority at all times to put our customers first and do all in our power to act in your best interests.

The Getaway Breaks booking system has been temporarily suspended, pending a thorough investigation of the Loyaltybuild system. Loyaltybuild is continuing to resolve this issue internally and with the Data Protection Commissioner. We will update you on any relevant information as it becomes available. Please note all Getaway Break bookings made to date have been processed and completed.

If you have any immediate queries, please contact the customer helpline at 0818 220 088 with any concerns which you may have.

Sincerely,

[FONT=Arial, Helvetica, sans-serif][/FONT]
Director
SuperValu

And they provide a PREMIUM RATE NUMBER (from a mobile anyway) :mad:

And they haven't bothered to provide dates as to when they were compromised and dates for when potential booking cards are at risk :mad:

Anyone got any more information on this?

Skid X

Article about it here, although there isn't much information

http://www.irishtimes.com/news/consumer/numbers-hit-by-rewards-scheme-security-breach-now-over-40-000-1.1584554

More than 40,000 people in Ireland are now known to have had their financial details potentially compromised after an electronic security breach at a company which oversees rewards schemes run by Supervalu, Axa Insurance and Stena Line.

39,000 Supervalu customers who bought its “getaway breaks” have been exposed while a further 4,000 people who were part of the insurance company’s loyalty reward programme which is also run by the Clare-based US-owned company Loyaltybuild have been affected.

dudara

Moved to Information Security

dudara

Jayop

Thanks for posting. I didn't get the letter, but we've bought breaks a good few times so I'll be keeping a good eye on my account.

philthrill69

Is this the reason the getaway breaks website is down for the last two weeks? http://www.supervalugetawaybreaks.com/

osullc10

I just got this email from Supervalu. I am presuming that a database administered by Loyaltybuild, which contained payment card data of Supervalu customers, was compromised. Does anybody know if the hackers got access to the actual numbers on the payment cards, or if they just got hashes of the card data? (Is that even how payment card data is stored?) The Irish Times article linked above indicates that the data was encrypted, but I'd like if Supervalu or somebody clarified this.

allthedoyles

News has just come through tonight that it is now a high risk that the system has been compromised by a third-party .

jo1978

I got an email from them at 10pm this evening to say they have only just discovered I cud be affected!!!! Im fuming how did they only realise now

jo1978

http://www.databreaches.net/supervalu-warns-customers-of-data-breach/

vicwatson

And they provide a PREMIUM RATE NUMBER (from a mobile anyway) to contact them !!!!!!! :mad::mad::mad:

I emailed them last week 5th November to ask for the dates for the period that was affected - NO REPLY.

Anyone notice the following from the email tonight -

At the moment this appears to also relate to bookings between January 2011 and February 2012. We became aware of this today from Loyaltybuild who manage and operate the SuperValu Getaway Breaks programme

Key word is ALSO

From the Indo website the statement clearly states the following -

“Based on this latest information from Loyalty Build, SuperValu are tonight contacting Getaway Breaks customers that there is a high risk that an unauthorised third party accessed the details of payment cards used to pay for Getaway Breaks between January 2011 and February 2012,” the statement read.

It said that 62,500 customers who made bookings during this period have been told to contact their bank or financial institution as soon as possible.

http://www.independent.ie/business/irish/over-60000-supervalu-customers-may-have-had-payment-card-data-leaked-29745157.html

So what is it Supervalu/Loyaltybuild?

For bookings between this period ONLY or what ???

You see I had made some bookings during that period and last April 2013 there was fraudulent activity on my card and I had to have it replaced - does this mean that I am ok now that I have new card since April 2013 (though I made a new booking with new card for August) ???

vicwatson

jo1978 wrote: »

http://www.databreaches.net/supervalu-warns-customers-of-data-breach/

Found this number on that website -

For customer queries please call the Loyaltybuild Helpline on 065 686 5200. The helpline is open Monday to Sunday from 9am to 8pm.

vicwatson

That email from tonight -

As a follow on from our letter to you last week, we can confirm that there is a high risk that an unauthorised third party has had access to the details of the payment card you used to pay for a Getaway Break. At the moment this appears to also relate to bookings between January 2011 and February 2012. We became aware of this today from Loyaltybuild who manage and operate the SuperValu Getaway Breaks programme.

The protection of your information is an absolute priority for us and we are extremely concerned about the security of your card. Therefore, we recommend that you contact your bank or financial institution as soon as possible, and immediately check the transactions on your card for any suspicious activity. Please treat any unsolicited communication you may receive relating to this issue claiming to represent SuperValu Getaway Breaks or Loyaltybuild with extreme caution.

We apologise for the worry and inconvenience that this issue may cause. However, it is SuperValu's priority at all times to put our customers first and do all in our power to act in your best interests. We have communicated with you immediately following confirmation of this issue by Loyaltybuild to us.

This issue is exclusive to Getaway Breaks. It does not impact SuperValu's other websites or any other transactions made by payment card in store or online. The only breach of data security, which has arisen, was in data collected and held by Loyaltybuild.

The Getaway Breaks booking system is suspended until further notice, pending a thorough investigation of the Loyaltybuild system. Loyaltybuild is continuing to resolve this issue internally. The Data Protection Commissioner has been notified. We will update you on any relevant information as it becomes available. Please note all Getaway Break bookings made to date have been processed and completed.

If you have any queries, please contact the Republic of Ireland customer helpline at
0818 220 088 or the Northern Ireland customer helpline at 0870 178 2002 with any concerns you may have. The helpline will be opened from 9am tomorrow morning.

Sincerely,

Ray Kelly
Marketing Director
SuperValu

jo1978

The email I received says
'At the moment this appears to relate to bookings between January 2011 and February 2012. We became aware of this today from Loyaltybuild who manage and operate the SuperValu Getaway Breaks programme.'
So it cud affect other dates too.....

professore

I worked with some of the people in Loyaltybuild on a project a few years ago. Don't understand why they were storing credit card details in the first place - surprises me to be honest. Don't they know this is an invitation to be hacked? Might as well put an ad on the web saying you have a shed full of cash, here are the GPS coordinates, but you have faith in your extra strong padlock?

Dermot Illogical

http://www.newstalk.ie/Supervalu-security-breach-more-serious-than-thought

allthedoyles

I called into BOI today and they are going to issue a new card , due to this high risk .

Anyone know where I can get a claim form ?

shamrock55

If money had been taken from a cc would something show on the statement,or would money be dissapearing and not show anything on the statement

hmmm

Why have we not been told yet who the other clients were of this company? All we know is SuperValu, but there are a lot more than SuperValue customers affected.

hmmm

shamrock55 wrote: »

If money had been taken from a cc would something show on the statement,or would money be dissapearing and not show anything on the statement

It would be on the statement. I wouldn't worry about it, but just keep an eye on your statements. Cancel your card if you'd prefer.

To be honest, I'd say most of the world's credit cards have already been stolen by someone somewhere.

vicwatson

I made some bookings during the period Jan 2011 & Feb 2012 and last April 2013 there was fraudulent activity on my card and I had to have it replaced - does this mean that I am ok now that I have new card since April 2013 (though I made a new booking with new card for August) ???l

vicwatson

dudara wrote: »

Moved to Information Security

dudara

Is this not a consumer issue no?

Dermot Illogical

vicwatson wrote: »

I made some bookings during the period Jan 2011 & Feb 2012 and last April 2013 there was fraudulent activity on my card and I had to have it replaced - does this mean that I am ok now that I have new card since April 2013 (though I made a new booking with new card for August) ???l

You're probably caught up in it twice. Your new card should be considered compromised.

MadsL

vicwatson wrote: »

Anyone get an email as follows -



And they provide a PREMIUM RATE NUMBER (from a mobile anyway) :mad:

And they haven't bothered to provide dates as to when they were compromised and dates for when potential booking cards are at risk :mad:

Anyone got any more information on this?

Contact the Data Protection Commissioner if you are getting the run around.

http://www.dataprotection.ie/docs/Data-Breach-Handling/901.htm

vicwatson

Dermot Illogical wrote: »

You're probably caught up in it twice. Your new card should be considered compromised.

Why? how?

Do we know the full date period in which the cards that were used for bookings were compromised? I've had no fraudulent activity on my new card anyways..

Thanks

Dermot Illogical

vicwatson wrote: »

Why? how?

Do we know the full date period in which the cards that were used for bookings were compromised? I've had no fraudulent activity on my new card anyways..

Thanks

Jan 2011 - Oct 2013 is the time period.
To be honest I'd consider any data they've ever held compromised at this stage.

You've had no fraudulent activity on your new card...yet.

hmmm

vicwatson wrote: »

Do we know the full date period in which the cards that were used for bookings were compromised?

No. The information we've received has been incomplete and inconsistent. We've gone from 7,000 compromised to 70,000 to 100,000 to 400,000 to 1.5 million (per the Irish Times) in the space of 48 hours. FFS, just get a list of all the credit cards and start from there by informing people.

vicwatson

Dermot Illogical wrote: »

Jan 2011 - Oct 2013 is the time period.
To be honest I'd consider any data they've ever held compromised at this stage.

You've had no fraudulent activity on your new card...yet.

Is this because I made a new booking with my NEW credit card in the period Feb 2012 (albeit from April 2013) to now ?? and therefore fraudulent activity could still occur? Have I got that right?

vicwatson

hmmm wrote: »

No. The information we've received has been incomplete and inconsistent. We've gone from 7,000 compromised to 70,000 to 100,000 to 400,000 to 1.5 million (per the Irish Times) in the space of 48 hours. FFS, just get a list of all the credit cards and start from there by informing people.

100% agree

Either we are being given no information, wrong information or incomplete information.

IIRC Will Goodbody on RTE 9 news said that the dickheads that stole the information have the credit card holders address and phone number too - how ????

And

That people are advised to change their PIN number - why ??????

And as for Supervalu they've gone into hiding.

No correct direction or coordination from anywhere which is very worrying if this occured on a larger scale.

I take it the DPC will be asking why all these details along with the three digits on back of card were being stored by loyalty build?

allthedoyles

So anyone know what is the solution to this problem ?

Supervalu apologise - they advise to contact bank as soon as possible .

I called into bank today - they had no info on this and were more worried about the ATM skimming / scamming .

I took it upon myself to cancel my card and now have to wait 3-5 working days for new Visa Debit Card.

markpb

ninja900 wrote: »

According to this Irish Times article http://www.irishtimes.com/news/technology/number-hit-by-clare-cyber-attack-climbs-to-1-5-million-1.1592584 it appears that card numbers including CVV were stored unencrypted. This is strictly amateur hour stuff, I hope the DPC rides these guys sideways.

It won't be just DPC they have to worry about. Visa/MasterCard and their acquiring banks can issue massive fines over breaches like this and they'll probably have trouble finding a bank acquire for them in the future.

shamrock55

We used a cc for one of those super value breaks last year but i have never noticed any suspicious activity on my cards (yet)
if i ring the cc company and ask them to cancel my cc and issue a new one with new acc no and security no etc will they do this and will that sort this problem